Network system analysis

ABSTRACT

Apparatus for producing an electronic model of a communications network or system having at least one host and a plurality of nodes connected thereto, directly or otherwise, the apparatus comprising means for obtaining data relating to at least some of the nodes and/or the host and means for creating an electronic model of the system or network using the data. The apparatus comprises a trusted computer host for use in analysing the network. The trusted computer host comprises means for detecting nodes on the network. As nodes are detected, sampling probes are inserted at each such node wherever possible. The probes take measurements at the respective nodes and return the resultant data to the trusted computer host. For a case where it is not possible to insert a probe at a detected node, the trusted computer host comprises means for performing traffic analysis and obtaining a profile of behavior between that node and the network host. The data received from the probes and the traffic analysis data is used by model simulation means in the trusted computer host to create a model of the network.

FIELD OF THE INVENTION

This invention relates to system analysis and, in particular, to thearchitectural evaluation and future capacity planning in respect of acommunications system or network having at least one host and aplurality of nodes connected thereto, directly or otherwise,

BACKGROUND TO THE INVENTION

There are many circumstances in which it is required to monitor andanalyse the operation of systems, so that, for example, any potentialproblems can be identified and solved, and predictions regarding futureoperation of such systems can be made. For example, it may be requiredto monitor the operation of a computer network consisting of tens,hundreds or even thousands of computer stations, having many points ofcontrol.

One known method of achieving this analysis is to build an electronicmodel of the system using manual identification of the systemarchitecture. In other words, an operator identifies the systemarchitecture including its host and all nodes connected thereto andcreates an electronic model of the entire system accordingly. In orderto run such a system model, it is necessary to obtain measurementsdirectly from the real system, and use these to run the model. Themeasurements taken will depend largely on what information is requiredto be obtained from the model. For instance, in one arrangement, suchmeasurements may be obtained by tracking all data packets beingtransported around the real system and between nodes. As a particularexample, in a trusted computer platform, the measurements may compriseround trip times of all packets being transported through the system.

Once the model is being run using measurements or data obtained from thereal system, it can be manipulated to investigate various factors,including a reaction to a failure at certain points in the system, theeffect of a failure of a certain length of time and/or level, possiblydepending on the current load on the system, and the cost implicationsof such a failure, as well as future capacity requirements and theireffects on the operation of the system.

However, there are a number of problems associated with this type ofmanual identification of system architecture and building of a networkmodel. Firstly, it is prone to error as it can be extremely difficult toaccurately identify the network architecture. Secondly, it is difficultand time-consuming to keep it up to date. In any event, the resultantmodel may be cumbersome in the sense that it can often become ascomplicated as the system it is intended to represent. Finally, themethod described above may not be suitable as analysis methodologies andrequirements change.

We have now devised an arrangement which overcomes the problems outlinedabove.

SUMMARY OF THE INVENTION

Thus, in accordance with the present invention, there is provided anapparatus for producing an electronic model of a communications networkor system having at least one host and a plurality of nodes connectedthereto, directly or otherwise, the apparatus comprising a detectionapparatus for determining the presence of and identifying nodes in thenetwork or system, a data collection system for obtaining data relatingto at least some of said nodes and a modelling apparatus for creating anelectronic model of said system or network using said data.

A “node” in the context of the present invention will be understood tomean only an intermediate or endpoint telecommunications device includedin the telecommunications network, which can communicate with one ormore of the other devices in the network and/or the host.

Thus, instead of manually identifying the system architecture, creatinga model of the system and then using data from the real system to runthe model, the present invention uses data gathered from the system tocreate and run a model thereof (without having to manually identify thesystem architecture in the first place). By using network data toautomatically generate a model of the network, a user can be sure thatthe model is up-to-date. The model may be translated into a plurality ofrepresentations for differing analysis purposes, including capacityplanning, quality of service issues, investigation of faultconsequences, impending critical timing excess, etc.

In a preferred embodiment of the invention, the apparatus comprisesinserting sampling probes (wherever possible) at the identified nodesfor taking measurements therefrom. For the case where it is not possibleto insert a probe at a node, the apparatus preferably comprises meansfor performing traffic analysis or the like at that node in order toobtain a profile of its behaviour relative to the host (and vice versa).The data returned from either the sampling nodes or the traffic analysisis used to construct a model of the network, which may be simulated (forexample, through a Demos 2000 simulation environment or the like) and/ortranslated into some other format for analysis (for example, PetriNets/Queue Analysis or the like).

The apparatus knows which probe (and therefore which node) data isreceived from and/or which point in the system the traffic analysisrelates to, and the apparatus uses the data itself and the location inthe system from which it is obtained to create a model from the systemand update it as required.

Live or real-time data is preferably continuously applied to the modelin order to maintain it up-to-date. The model is preferably run in superreal time (i.e. faster than the system under consideration would behave)to facilitate fault analysis, fault/QoS failure, and capacity planning.In any event, the apparatus preferably comprises means for analysing themodel and for providing information relating to any problems identifiedwithin the system, future capacity requirements, and/or the effect ofany future system load changes.

BRIEF DESCRIPTION OF THE DRAWINGS

An embodiment of the present invention will now be described by way ofexample only and with reference to the accompanying drawing which is aschematic block diagram of apparatus according to an exemplaryembodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

As shown in FIG. 1, a typical communications network 10 comprises atleast one computer host 12 and a plurality of computing stations ornodes 14 connected thereto. An apparatus according to an exemplaryembodiment of the present invention comprises a trusted computer host 16for use in analysing the network 10. The concept of a trusted computerplatform is described in detail in the applicant's co-pendingapplication WO00/48063—in essence, a trusted computer platform is onewhich the user can reply upon to behave in a predictable manner withoutsubversion. While advantageous to use a trusted computer platform ashost, this is not essential to practice of the invention. The trustedcomputer host 16 comprises means 18 for detecting nodes 14 on thenetwork. There are many different means currently available and widelyknown in the art for detecting nodes on a network. One of the mostcommon and widely known is referred to in the art as “PING”, which isshort for “Packet Internet Groper”. PING is generally implemented as asoftware application which can be used to determine whether a specificnode (or IP) address is accessible, and works by sending a packet to thespecified address and waiting for a reply. The application can identifythe addresses of the nodes on the network from a predefined table ofsuch addresses which may be available via the host. In this case, itsimply identifies those which are accessible in the above-describedmanner. However, some versions of this type of application can identifythe addresses of nodes in the network either from analysis of theheaders of packets being transmitted between the nodes and the host,and/or by interrogating the router(s) governing such packettransmission.

As nodes 14 are detected, sampling probes 20 are inserted at each suchnode 14 wherever possible. The probes 20 take measurements at therespective nodes and return the resultant data to the trusted computerhost 16. Again, there are a number of applications currently availablefor inserting sampling probes at each node (wherever possible) of thenetwork. One such application is provided by the HP Open View NetworkNode Manager and generates by detecting devices in a network and theirrelative layout (similar to the “PING” function defined above). Inaddition, however, the application can be configured to monitor selectednetwork connections, i.e. insert “sampling probes” to collect requireddata from such connections. The data collected will depend upon thenetwork analysis being performed. As a simple example, the applicationcan be configured to monitor each network connection and collect dataindicating the number of packets travelling across that connection, foruse in capacity determination and planning. However, it can also beconfigured to collect additional data, such as the types of packettravelling across the probed connection(s), for use in more complexnetwork analysis. As such, it will be appreciated that the term “probe”in the context of the present invention refers to the insertion of sometype of monitoring function at a node to collect selected data.

For the case where it is not possible to insert a probe 20 at a detectednode 14, the trusted computer host 16 comprises means 22 for performingtraffic analysis and obtaining a profile of behaviour between that node14 and the network host. 12. The traffic analysis to obtain a profile ofbehaviour between a node (at which no probe can be inserted) and thehost can be performed in a number of different ways known in the art.One such method of traffic analysis involves the collection of datadefining the traffic between the node and the host, e.g.

-   -   AABABBAAABABAABAA . . . etc. (up to 1000 symbols or more)        where A denotes the transmission of a packet from the host to        the node and B denotes the transmission of a packet from the        node to the host; calculating a number of predefined parameters        computed from the collected data and defining a probability        distribution representing the profile of behaviour between the        node and the host. One specific method involves the definition        of a phase distribution model of the collected data to represent        the required profile of behaviour, as described in detail in        references such as: (1) M. F. Neuts, “Matrix-Geometric Solutions        in Stochastic Models”, John Hopkins University Press,        1981; (2) M. F. Neuts, “Structural Stochastic Matrices of M/G/1        Type and their Applications”, Marcel Dekker, 1989; (3) M. F.        Neuts, “Matrix Geometric Solutions in Stochastic Models, Dover        Publications, 1995.

The resultant model gives a relatively compact model representative ofthe flow of traffic between the node and the host and, as such, arelatively accurate representation of the profile of behaviour betweenthe two.

The data received from the probes 20 and the traffic analysis data isused by model simulator means 24 in the trusted computer host 16 tocreate a model of the network 10. A super real-time simulator controller26 is used to run the model. The model simulator means may comprise anyknown such means, similar for example, to the “Paramics” trafficsimulator. This type of simulator enables real-time simulation of roadnetworks and the associated traffic thereon, and can be used to modelhighly confessed networks and Intelligent Transportation Systemsinfrastructures. In addition, such known simulators include the abilityto run the model in super-real time (i.e. faster than real time).Similar simulators are known in the fields of air traffic control,public transport, and drainage systems, and the same principles can beapplied to the simulator for use in the present invention.

In general, as stated above, simulation in the case of the presentinvention may be accomplished in many ways, however one of the morecommon mechanisms for simulating the behaviour of a group of componentswithin a network is “discrete event” simulation. A simple example ofsuch a system is given below.

Each object within the system may be represented as an automaton thatreacts to (a) changes in time and (b) interactions with other objectswithin the system. The simulator maintains a master “clock” and a listof events with their associated times of execution. The simulatoroperates by continuously advancing the clock to the “next event” tooccur and advancing each automata in order to represent the effect ofthe event. Thus arbitrary period of system activity can be represented.Since the simulation is almost always simpler than the system beingsimulated, in many cases it is possible to run the simulator faster thanreal time, i.e. super-real time, where one second of simulation time(say) may represent many hours of real system time.

In addition, live or real time data obtained from the network is fed tothe controller 26 to update the model. Means 28 are also provided forautomatically analysing the network 10 as a whole and/or various pointstherein in order to identify faults, analyse the effect of potentialfaults and provide information regarding future capacity requirementsand the effect of any future change in load on the network. Suchanalysis features are also available in known network simulators, andthe principles applied therein can be applied in the apparatus of thepresent invention.

In the foregoing specification, the invention has been described withreference to specific exemplary embodiments thereof. It will, however,be apparent to a person skilled in the art that various modificationsand changes may be made thereto without departing from the broaderspirit and scope of the invention as set forth in the appended claims.Accordingly, the specification and drawings are to be regarded in anillustrative, rather than a restrictive, sense.

1. Apparatus for producing an electronic model of a communicationsnetwork, the apparatus comprising: a data collection system forobtaining data relating to probes inserted at a plurality of firstnetwork nodes and using the probes to obtain network data for thosenodes, a traffic analysis arrangement for analysing, from an externallocation, traffic to and from one or more second nodes in which probesare not inserted; using the traffic analysis to calculate at least onepredefined parameter; and using the at least one parameter to define aprobability distribution representing a behaviour profile between thesecond nodes and the external location; and modelling apparatus forcreating an electronic model of said network by combining said datacollected from the first nodes and the behaviour profile.
 2. Apparatusaccording to claim 1, wherein the model may be translated into aplurality of representations for differing analysis purposes. 3.Apparatus according to claim 1, being arranged to determine presence ofand identifying nodes in the network and to insert sampling probes atsaid identified nodes in parts of the network for taking measurementstherefrom.
 4. Apparatus according to claim 3, wherein the data returnedfrom either the sampling nodes or the traffic analysis is used toconstruct a model of the network, which may be simulated and/ortranslated into some other format for analysis.
 5. Apparatus accordingto claim 1, arranged to supply live or real-time nodal data to themodelling apparatus so that the model can be updated to reflect acurrent state of the network.
 6. Apparatus according to claim 1,comprising a system for running the model in super real time tofacilitate one or more of fault analysis, fault/Qos failure, andcapacity planning.
 7. Apparatus according to claim 1, comprisinganalysis apparatus for analysing the model and for providing informationrelating to problems identified within the network, future capacityrequirements, and the effect of any future system load changes.
 8. Amethod of modeling a network comprising the steps of: inserting probesat a plurality of first network nodes and using the probes to obtainnetwork data for those nodes; analysing, from an external location,traffic to and from one or more second nodes in which probes are notinserted; using the traffic analysis to calculate at least onepredefined parameter and using the at least one parameter to define aprobability, distribution representing a behaviour profile between thesecond nodes and the external location; and combining the data collectedfrom the first nodes and the behaviour profile to create a model of thenetwork.
 9. A method according to claim 8 further comprising the step ofrunning the model in super-real time.
 10. A method according to claim 8wherein the model is analysed to provide information relating toproblems identified with the network, future capacity requirements, andthe effect of any future system load changes.